2. Cryptography

2.5. ElGamal cryptosystems and Discrete logarithms
Definition
Let $G$ be a cyclic group of order $n$ and let $\alpha$ be a generator of $G$. For each $A \in G$ there exists a unique $0 \le a \le n-1$ such that $A = \alpha^a$. The exponent $a$ is called the discrete logarithm of $A$ in base $\alpha$. It is denoted by $\log_\alpha A$.
Example
The group $(\mathbb{Z}/13\mathbb{Z})^*$ is a cyclic group of order 12, with $[2]_{13}$ a generator.
$$\begin{array}{c|cccccccccccc}
A & [1]_{13} & [2]_{13} & [3]_{13} & [4]_{13} & [5]_{13} & [6]_{13} & [7]_{13} & [8]_{13} & [9]_{13} & [10]_{13} & [11]_{13} & [12]_{13} \\ \hline
\log_{[2]_{13}} A & 0 & 1 & 4 & 2 & 9 & 5 & 11 & 3 & 8 & 10 & 7 & 6
\end{array}$$
Example
The group $(\mathbb{Z}/n\mathbb{Z}, +, [0]_n)$ is a cyclic group of order $n$. $\alpha = [a]_n$ is a generator if and only if $\gcd(a, n) = 1$. Let $B = [b]_n \in G$ and $l = \log_\alpha B$. Then $B = \alpha^l$, so $b \equiv al \pmod n$. But $\alpha = [a]_n$ is invertible in $\mathbb{Z}/n\mathbb{Z}$, so $l \equiv b a^{-1} \pmod n$.
The difficulty of taking discrete logarithms depends on the group. For the groups $(\mathbb{Z}/p\mathbb{Z})^*$, $p$ a prime number, the problem is considered hard.
2.5.1. Diffie-Hellman
Alice and Bob want to communicate via an unsecured channel using a symmetric cryptosystem, for example AES. They need to communicate the key used to each other. The following protocol gives them a way of doing so. Its security is based on the difficulty of taking discrete logarithms in $(\mathbb{Z}/p\mathbb{Z})^*$, $p$ a prime number.
Diffie-Hellman Key Exchange
Alice (on her own or together with Bob) chooses a prime number $p$ and a generator $[\alpha]_p$ of $(\mathbb{Z}/p\mathbb{Z})^*$.
Alice chooses an $a \in \{0, 1, \ldots, p-2\}$ and computes $A \equiv \alpha^a \pmod p$.
Alice sends $A$ (with $\alpha$ and $p$) to Bob.
Bob chooses a $b \in \{0, 1, \ldots, p-2\}$ and computes $B \equiv \alpha^b \pmod p$.
Bob sends $B$ to Alice.
Alice computes $B^a \bmod p$ and Bob computes $A^b \bmod p$.
Since
$$B^a \equiv (\alpha^b)^a \equiv \alpha^{ab} \equiv (\alpha^a)^b \equiv A^b \pmod p,$$
Alice and Bob have computed the same number $K \equiv \alpha^{ab} \pmod p$. This number $K$ can be used as the key for the symmetric cryptosystem they use (or the first 128 bits of $K$ written in base 2, or something similar).
Example
Alice chooses $p = 17$ and $\alpha = 3$ as a generator of $(\mathbb{Z}/17\mathbb{Z})^*$. She chooses $a = 7$ and computes $3^7 \bmod 17 = 11$. She sends $p = 17$, $\alpha = 3$ and $A = 11$ to Bob. Bob chooses $b = 4$ and computes $3^4 \bmod 17 = 13$ and sends $B = 13$ to Alice.
Alice computes $B^a = 13^7 \bmod 17 = 4$ and Bob computes $A^b = 11^4 \bmod 17 = 4$. Their key is 4.
Remarks
1. The protocol also works in other groups. One needs to choose an $\alpha \in G$ of large order.
2. The security of the protocol is not based on the secrecy of the prime $p$.
3. Alice needs to find a generator of $(\mathbb{Z}/p\mathbb{Z})^*$, which is a group of order $p-1$. She can't always factorize $p-1$. Alice could take $p = 2q + 1$, with $q$ a (large) Sophie Germain prime. Now she has an efficient way of choosing a generator of $(\mathbb{Z}/p\mathbb{Z})^*$.
In the example Eve and Oscar are in possession of $p = 17$, $\alpha = 3$, $A = 11$ and $B = 13$. They want to calculate $K$. Since $A = 11 \equiv 3^a \pmod{17}$ and $B = 13 \equiv 3^b \pmod{17}$, we have $a = \log_3 11$ and $b = \log_3 13$. If they can compute one of these discrete logarithms then they can compute $K$, since $K \equiv B^a \equiv A^b \pmod{17}$. But there might be other ways of finding $K$.
The problem Eve and Oscar need to solve is called the Diffie-Hellman problem.
Diffie-Hellman problem
Given a prime $p$, a generator $[\alpha]_p$ of $(\mathbb{Z}/p\mathbb{Z})^*$, and two numbers $A$ and $B$, determine $K$, where $A \equiv \alpha^a \pmod p$, $B \equiv \alpha^b \pmod p$ and $K \equiv \alpha^{ab} \pmod p$.
One can state this in terms of elements in a group: given a group $G$, an element $\alpha \in G$ of large order and two elements $A, B \in \langle \alpha \rangle$, determine $K$, where $K = \alpha^{ab}$ and $A = \alpha^a$, $B = \alpha^b$.
The difficulty of solving the Diffie-Hellman problem depends on the group $G$. For $(\mathbb{Z}/p\mathbb{Z})^*$ it is considered a hard problem. For now, taking discrete logarithms seems to be the only approach, and no efficient algorithm for that is known at this moment.
Man in the middle attack
Suppose Alice and Bob want to use the Diffie-Hellman key exchange to exchange a key, but the channel is controlled by Eve and Oscar. Alice chooses $p$, $\alpha$ and $a \in \{0, 1, \ldots, p-2\}$, computes $A \equiv \alpha^a \pmod p$ and sends $p$, $\alpha$ and $A$ to Bob. Eve and Oscar intercept the message and they choose an $e \in \{0, 1, \ldots, p-2\}$ and compute $E \equiv \alpha^e \pmod p$. Oscar pretends to be Bob and sends $E$ to Alice. Alice computes $K_1 \equiv E^a \pmod p$ and Oscar computes $K_1 \equiv A^e \pmod p$. Eve pretends to be Alice and sends $p$, $\alpha$ and $E$ to Bob. Bob chooses a $b \in \{0, 1, \ldots, p-2\}$, computes $B \equiv \alpha^b \pmod p$ and sends $B$ back to the fake Alice. Bob computes $K_2 \equiv E^b \pmod p$ and Eve computes $K_2 \equiv B^e \pmod p$.

  Alice                      Eve and Oscar                     Bob
  A = alpha^a     -->
                  <--        E = alpha^e
  K_1 = E^a                  K_1 = A^e
                             E = alpha^e           -->
                                                   <--         B = alpha^b
                             K_2 = B^e                         K_2 = E^b

Alice thinks she is sharing the key $K_1$ with Bob. Bob thinks he is sharing the key $K_2$ with Alice. When Alice sends a message to Bob she uses the key $K_1$. Eve and Oscar use the key $K_1$ to read the message and then use the key $K_2$ to encrypt it and send it to Bob. The message received by Bob is encrypted with the key $K_2$, which is the key he thinks he shares with Alice. Bob has no reason to believe he is not talking to Alice. Nor does Alice when she receives messages from Bob. In this way Eve and Oscar can read all the correspondence between Alice and Bob without them suspecting anything. In order to protect themselves from the "man in the middle attack", Alice and Bob first need to authenticate themselves before exchanging a key. The authentication can be done via a public key cryptosystem.
2.5.2. ElGamal public key cryptosystem
We describe the cryptosystem in an informal way. Alice chooses a prime $p$, a generator $[\alpha]_p \in (\mathbb{Z}/p\mathbb{Z})^*$ and an $a \in \{0, 1, \ldots, p-2\}$. She computes $A \equiv \alpha^a \pmod p$. Her public key is $(p, \alpha, A)$. Her secret key is $a$, so the private key space is $K_s = \{0, 1, \ldots, p-2\}$. The plain text and cipher text spaces are $P = \mathbb{Z}/p\mathbb{Z}$ and $C = (\mathbb{Z}/p\mathbb{Z})^* \times \mathbb{Z}/p\mathbb{Z}$.
The encryption is as follows:
Bob wants to send $m$ to Alice. He chooses a $b \in \{0, 1, \ldots, p-2\}$, computes $B \equiv \alpha^b \pmod p$ and then computes $c \equiv A^b m \pmod p$. The cipher text is $(B, c)$.
The decryption is as follows:
Alice computes $B^x c \bmod p$, where $x = p - 1 - a$. Since
$$B^x \equiv (\alpha^b)^{p-1-a} \equiv \alpha^{b(p-1)} \alpha^{-ab} \equiv (\alpha^{ab})^{-1} \pmod p$$
and
$$c \equiv A^b m \equiv \alpha^{ab} m \pmod p,$$
it follows that $B^x c \equiv m \pmod p$.
Remark
Alice and Bob are in effect exchanging the Diffie-Hellman key $K \equiv A^b \equiv B^a \pmod p$. Alice made her part $A$ public; Bob provides Alice with his part $B$ of the key in the first part of the encrypted message. Bob multiplies the message $m$ in $\mathbb{Z}/p\mathbb{Z}$ with $A^b$. Thus he multiplied the message with the Diffie-Hellman key and sends that together with his part $B$ of the Diffie-Hellman key to Alice. Alice computes $B^x \equiv K^{-1} \pmod p$, which is the inverse of the Diffie-Hellman key, and multiplies that with $c$ to obtain the original message.
Example
Alice takes $p = 23$, $\alpha = 7$ and $a = 6$. Then $A = 7^6 \equiv 4 \pmod{23}$. The public key of Alice is $(p = 23, \alpha = 7, A = 4)$.
Suppose Bob wants to send 2 to Alice. He takes the public key $(p = 23, \alpha = 7, A = 4)$ of Alice and chooses $b = 3$. He computes $B = 7^3 \equiv 21 \pmod{23}$ and $c = 4^3 \cdot 2 \equiv 18 \cdot 2 \equiv 13 \pmod{23}$. The cipher text is $(B = 21, c = 13)$, which he sends to Alice. Alice first calculates $K^{-1} = (B^a)^{-1} \equiv (21^6)^{-1} \equiv 18^{-1} \equiv 9 \pmod{23}$ and then $K^{-1} c \equiv 9 \cdot 13 \equiv 2 \pmod{23}$.
Remarks
1. Using a plain text space of about the same size in RSA and ElGamal results for ElGamal in a cipher text space about double the size of the cipher text space of RSA.
2. Bob chooses $b$ arbitrarily. So for Eve and Oscar $c$ is arbitrary too.
3. Both $A$ and $B$ are powers of $\alpha$, so they are in the group generated by $\alpha$. The key $K$ is a power of $A$ and of $B$. Since $A$ and $B$ are public, their order should be large, for otherwise $K$ can be computed. Thus $\gcd(a, p-1)$ and $\gcd(b, p-1)$ should be small.
4. The set-up can also be made using groups different from $(\mathbb{Z}/p\mathbb{Z})^*$, using an element of large order.
Lemma 2.5.1 The security of ElGamal is equivalent to the Diffie-Hellman problem.
Proof. Suppose Eve and Oscar have a way of solving the Diffie-Hellman problem. That is, they are in possession of a black box that, given $p$, $\alpha$, $A$ and $B$, calculates $K$, where $K = \alpha^{ab}$ with $a = \log_\alpha A$ and $b = \log_\alpha B$. The correspondence between Alice and Bob contains the public key $p$, $\alpha$, $A$ and the cipher text $(B, c)$. Feeding $p$, $\alpha$, $A$ and $B$ to their black box they obtain $K$. They can then calculate $K^{-1}$ and $K^{-1} c = m$. Hence Eve and Oscar can read the message $m$.
Suppose Eve and Oscar have a way of reading ElGamal messages. That is, they are in possession of a black box that, given $p$, $\alpha$, $A$ and $(B, c)$, calculates $m$, where $m = (\alpha^{ab})^{-1} c$ with $a = \log_\alpha A$ and $b = \log_\alpha B$. Eve and Oscar are in possession of $p$, $\alpha$, $A$ and $B$. If they give $p$, $\alpha$, $A$ and $(B, 1)$ to the black box, it will calculate $(\alpha^{ab})^{-1}$. But this is $K^{-1}$ and so they can obtain $K$. Hence they can solve the Diffie-Hellman problem. $\square$
Lemma 2.5.2 Bob should vary his choice of $b$.
Proof. Suppose that Bob in his correspondence with Alice sends two messages $m_1$ and $m_2$ having chosen the same number $b$. The cipher texts are $(B, c_1)$ and $(B, c_2)$, where $c_1 \equiv A^b m_1 \pmod p$ and $c_2 \equiv A^b m_2 \pmod p$. If $m_2$ is invertible, then so is $c_2$, and since
$$c_1 c_2^{-1} \equiv (A^b m_1)(A^b m_2)^{-1} \equiv m_1 m_2^{-1} \pmod p,$$
it follows that if Eve and Oscar know the pair $(m_2, c_2)$ they can compute $c_1 c_2^{-1} m_2 \equiv m_1 \pmod p$. $\square$
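As an added example that is not part of the lecture notes, the following Python code runs the Diffie-Hellman exchange, the ElGamal encryption and decryption of the example above, and the computation of Lemma 2.5.2 on the numbers used in the text ($p = 17$, $\alpha = 3$ for Diffie-Hellman; $p = 23$, $\alpha = 7$, $a = 6$ for ElGamal). All function names are this example's own.

```python
# Added example, not from the lecture notes: Diffie-Hellman, ElGamal and the
# repeated-b relation of Lemma 2.5.2, using the parameters of the text.

def dh_shared_key(p, a, B):
    """Alice's side of Diffie-Hellman: K = B^a mod p (Bob computes A^b mod p)."""
    return pow(B, a, p)

def elgamal_keygen(p, alpha, a):
    """Public key (p, alpha, A) with A = alpha^a mod p; the secret key is a."""
    return (p, alpha, pow(alpha, a, p))

def elgamal_encrypt(pub, m, b):
    """Cipher text (B, c) with B = alpha^b and c = A^b * m (mod p).

    A^b is exactly the Diffie-Hellman key K of the Remark above, so the
    cipher text is "K times m" together with Bob's half B of the exchange.
    """
    p, alpha, A = pub
    return (pow(alpha, b, p), pow(A, b, p) * m % p)

def elgamal_decrypt(p, a, ct):
    """Recover m = B^x * c (mod p) with x = p - 1 - a, i.e. B^x = K^-1."""
    B, c = ct
    return pow(B, p - 1 - a, p) * c % p

def recover_with_reused_b(p, ct1, ct2, m2):
    """Lemma 2.5.2: two cipher texts with the same B share the mask A^b, so
    c1 * c2^-1 * m2 = m1 (mod p) follows from one known pair (m2, c2)."""
    (B1, c1), (B2, c2) = ct1, ct2
    if B1 != B2:
        raise ValueError("B differs, so b was not reused")
    return c1 * pow(c2, -1, p) * m2 % p

if __name__ == "__main__":
    # Diffie-Hellman example of the text: p = 17, alpha = 3, a = 7, b = 4.
    A, B = pow(3, 7, 17), pow(3, 4, 17)
    print(dh_shared_key(17, 7, B), dh_shared_key(17, 4, A))   # both 4
    # ElGamal example of the text: p = 23, alpha = 7, a = 6; m = 2 with b = 3.
    pub = elgamal_keygen(23, 7, 6)
    ct = elgamal_encrypt(pub, 2, 3)
    print(pub, ct, elgamal_decrypt(23, 6, ct))
```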
2.5.3. Pohlig-Hellman algorithm
Let $p$ be a prime number and $\alpha$ a generator of $(\mathbb{Z}/p\mathbb{Z})^*$, so $o(\alpha) = p-1$. Given $\beta \in (\mathbb{Z}/p\mathbb{Z})^*$ the algorithm calculates the discrete logarithm $\log_\alpha \beta$, that is, it finds $0 \le x \le p-2$ with $\alpha^x = \beta$. In order to do this it suffices to find $x \pmod{p-1}$.
Let $p - 1 = q_1^{r_1} q_2^{r_2} \cdots q_n^{r_n}$ be the factorization in primes. Thus for $i, j \in \{1, 2, \ldots, n\}$, we have that $q_i$ is a prime with $q_i \ne q_j$ if $i \ne j$, and $r_i \ge 1$ with $q_i^{r_i} \mid p-1$, but $q_i^{r_i+1} \nmid p-1$. Observe that if, for each $i \in \{1, 2, \ldots, n\}$, $x \pmod{q_i^{r_i}}$ is known, then the Chinese Remainder Theorem allows us to determine $x \pmod{p-1}$, and so $x$.
Let $q$ be a prime and $r \ge 1$, with $q^r \mid p-1$ and $q^{r+1} \nmid p-1$. The following algorithm allows us to calculate $x \pmod{q^r}$.
Let $x = x_0 + x_1 q + x_2 q^2 + x_3 q^3 + \cdots + x_r q^r + \cdots$, with $0 \le x_i \le q-1$ (so $x$ is written in base $q$). In order to calculate $x \pmod{q^r}$ it suffices to calculate $x_0, x_1, \ldots, x_{r-1}$.
Since $p-1$ is divisible by $q, q^2, q^3, \ldots, q^r$, we have $\frac{p-1}{q}, \frac{p-1}{q^2}, \frac{p-1}{q^3}, \ldots, \frac{p-1}{q^r} \in \mathbb{Z}$. The element $\alpha^{\frac{p-1}{q}}$ has order $q$. We list the elements of the group generated by it in a table of reference:
$$\begin{array}{c|ccccc}
k & 0 & 1 & 2 & \cdots & q-1 \\ \hline
\left(\alpha^{\frac{p-1}{q}}\right)^k & 1 & \alpha^{\frac{p-1}{q}} & \left(\alpha^{\frac{p-1}{q}}\right)^2 & \cdots & \left(\alpha^{\frac{p-1}{q}}\right)^{q-1}
\end{array}$$
Let $\beta_0 = \beta$, so $\beta_0 = \alpha^{x_0 + x_1 q + x_2 q^2 + \cdots}$. Since
$$\beta_0^{\frac{p-1}{q}} = \alpha^{\frac{p-1}{q}(x_0 + x_1 q + x_2 q^2 + \cdots)} = \alpha^{x_0 \frac{p-1}{q} + (p-1)(x_1 + x_2 q + \cdots)} = \alpha^{x_0 \frac{p-1}{q}} = \left(\alpha^{\frac{p-1}{q}}\right)^{x_0},$$
$x_0$ can be determined with the reference table.
Let $\beta_1 = \beta_0 \alpha^{-x_0}$, so $\beta_1 = \alpha^{q(x_1 + x_2 q + \cdots)}$. Since
$$\beta_1^{\frac{p-1}{q^2}} = \alpha^{\frac{p-1}{q^2} q (x_1 + x_2 q + x_3 q^2 + \cdots)} = \alpha^{x_1 \frac{p-1}{q} + (p-1)(x_2 + x_3 q + \cdots)} = \alpha^{x_1 \frac{p-1}{q}} = \left(\alpha^{\frac{p-1}{q}}\right)^{x_1},$$
$x_1$ can be determined with the reference table.
Let $\beta_2 = \beta_1 \alpha^{-x_1 q}$, so $\beta_2 = \alpha^{q^2 (x_2 + x_3 q + \cdots)}$. Since
$$\beta_2^{\frac{p-1}{q^3}} = \alpha^{\frac{p-1}{q^3} q^2 (x_2 + x_3 q + x_4 q^2 + \cdots)} = \alpha^{x_2 \frac{p-1}{q} + (p-1)(x_3 + x_4 q + \cdots)} = \alpha^{x_2 \frac{p-1}{q}} = \left(\alpha^{\frac{p-1}{q}}\right)^{x_2},$$
$x_2$ can be determined with the reference table.
$$\vdots$$
Let $\beta_{r-1} = \beta_{r-2} \alpha^{-x_{r-2} q^{r-2}}$, so $\beta_{r-1} = \alpha^{q^{r-1}(x_{r-1} + x_r q + \cdots)}$. Since
$$\beta_{r-1}^{\frac{p-1}{q^r}} = \alpha^{\frac{p-1}{q^r} q^{r-1} (x_{r-1} + x_r q + \cdots)} = \alpha^{x_{r-1} \frac{p-1}{q} + (p-1)(x_r + \cdots)} = \alpha^{x_{r-1} \frac{p-1}{q}} = \left(\alpha^{\frac{p-1}{q}}\right)^{x_{r-1}},$$
$x_{r-1}$ can be determined with the reference table.
We have found $x_0, x_1, \ldots, x_{r-1}$ and thus also $x \equiv x_0 + x_1 q + x_2 q^2 + x_3 q^3 + \cdots + x_{r-1} q^{r-1} \pmod{q^r}$.
Note that the algorithm finishes automatically, as at the next step $\frac{p-1}{q^{r+1}}$ is not an integer.
Example
Let $p = 1373$. The group $(\mathbb{Z}/1373\mathbb{Z})^*$ is cyclic of order $1372 = 2^2 \cdot 7^3$. Let $\alpha = [2]_{1373}$. Since $2^{2 \cdot 7^3} \equiv -1 \pmod{1373}$ and $2^{2^2 \cdot 7^2} \equiv 333 \pmod{1373}$, $o([2]_{1373}) = 1372$ and so $\alpha$ is a generator.
Let $\beta = [801]_{1373}$. We determine $\log_\alpha \beta$ using the Pohlig-Hellman algorithm. Thus we determine $0 \le x \le 1372$ with $2^x \equiv 801 \pmod{1373}$.
Determination of $x \pmod{2^2}$.
Write $x = x_0 + x_1 \cdot 2 + x_2 \cdot 2^2 + \cdots$. Since $\frac{1372}{2} = 686$, the reference table is
$$\begin{array}{c|cc}
k & 0 & 1 \\ \hline
([2^{686}]_{1373})^k & [1]_{1373} & [1372]_{1373}
\end{array}$$
$\beta_0^{\frac{p-1}{2}} \equiv 801^{686} \equiv 1372 \pmod{1373}$. Hence $x_0 = 1$, and $\beta_1 = \beta_0 \alpha^{-1} \equiv 801 \cdot 2^{-1} \equiv 1087 \pmod{1373}$.
$\beta_1^{\frac{p-1}{2^2}} \equiv 1087^{343} \equiv 1372 \pmod{1373}$. Hence $x_1 = 1$.
Hence $x \equiv 1 + 1 \cdot 2 \equiv 3 \pmod{2^2}$.
Determination of $x \pmod{7^3}$.
Write $x = x_0 + x_1 \cdot 7 + x_2 \cdot 7^2 + x_3 \cdot 7^3 + \cdots$. Since $\frac{1372}{7} = 196$, the reference table is
$$\begin{array}{c|ccccccc}
k & 0 & 1 & 2 & 3 & 4 & 5 & 6 \\ \hline
([2^{196}]_{1373})^k & [1]_{1373} & [333]_{1373} & [1049]_{1373} & [575]_{1373} & [628]_{1373} & [428]_{1373} & [1105]_{1373}
\end{array}$$
$\beta_0^{\frac{p-1}{7}} \equiv 801^{196} \equiv 1049 \pmod{1373}$. Hence $x_0 = 2$, and $\beta_1 = \beta_0 \alpha^{-2} \equiv 801 \cdot 2^{-2} \equiv 1230 \pmod{1373}$.
$\beta_1^{\frac{p-1}{7^2}} \equiv 1230^{28} \equiv 575 \pmod{1373}$. Hence $x_1 = 3$ and $\beta_2 = \beta_1 \alpha^{-3 \cdot 7} \equiv 1230 \cdot 2^{-21} \equiv 1049 \pmod{1373}$.
$\beta_2^{\frac{p-1}{7^3}} \equiv 1049^{4} \equiv 333 \pmod{1373}$. Hence $x_2 = 1$.
Hence $x \equiv 2 + 3 \cdot 7 + 1 \cdot 7^2 \equiv 72 \pmod{7^3}$.
We have found that
$$\begin{cases} x \equiv 3 \pmod{4} \\ x \equiv 72 \pmod{343}. \end{cases}$$
Hence, by the Chinese Remainder Theorem, $x \equiv 415 \pmod{1372}$. So $x = 415$. We can check our answer: $2^{415} \equiv 801 \pmod{1373}$, which is correct.
Example
Determine $0 \le x \le 40$ with $7^x \equiv 12 \pmod{41}$.
We have $p = 41$, $\alpha = [7]_{41}$ and $\beta = [12]_{41}$. Thus $p - 1 = 40 = 2^3 \cdot 5$.
Determination of $x \pmod{2^3}$.
Write $x = x_0 + x_1 \cdot 2 + x_2 \cdot 2^2 + x_3 \cdot 2^3 + \cdots$. Since $\frac{40}{2} = 20$, the reference table is
$$\begin{array}{c|cc}
k & 0 & 1 \\ \hline
([7^{20}]_{41})^k & [1]_{41} & [40]_{41}
\end{array}$$
$\beta_0^{\frac{p-1}{2}} \equiv 12^{20} \equiv 40 \pmod{41}$. Hence $x_0 = 1$, and $\beta_1 = \beta_0 \alpha^{-1} \equiv 12 \cdot 7^{-1} \equiv 31 \pmod{41}$.
$\beta_1^{\frac{p-1}{2^2}} \equiv 31^{10} \equiv 1 \pmod{41}$. Hence $x_1 = 0$, and $\beta_2 = \beta_1 \alpha^{-0 \cdot 2} \equiv 31 \cdot 7^0 \equiv 31 \pmod{41}$.
$\beta_2^{\frac{p-1}{2^3}} \equiv 31^5 \equiv 40 \pmod{41}$. Hence $x_2 = 1$.
Hence $x \equiv 1 + 0 \cdot 2 + 1 \cdot 2^2 \equiv 5 \pmod{2^3}$.
Determination of $x \pmod 5$.
Write $x = x_0 + x_1 \cdot 5 + \cdots$. Since $\frac{40}{5} = 8$, the reference table is
$$\begin{array}{c|ccccc}
k & 0 & 1 & 2 & 3 & 4 \\ \hline
([7^{8}]_{41})^k & [1]_{41} & [37]_{41} & [16]_{41} & [18]_{41} & [10]_{41}
\end{array}$$
$\beta_0^{\frac{p-1}{5}} \equiv 12^8 \equiv 18 \pmod{41}$. Hence $x_0 = 3$. Hence $x \equiv 3 \pmod 5$.
We have found that
$$\begin{cases} x \equiv 5 \pmod 8 \\ x \equiv 3 \pmod 5. \end{cases}$$
Hence, by the Chinese Remainder Theorem, $x \equiv 13 \pmod{40}$. So $x = 13$. We can check our answer: $7^{13} \equiv 12 \pmod{41}$, which is correct.
Remark
The Pohlig-Hellman algorithm is efficient if the factorization of $p-1$ into primes does not involve large primes.
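As an added example that is not part of the lecture notes, the following Python code implements the Pohlig-Hellman algorithm exactly as described above (reference table, one base-$q$ digit per round, then the Chinese Remainder Theorem) and reproduces the two worked examples, $2^x \equiv 801 \pmod{1373}$ and $7^x \equiv 12 \pmod{41}$. The trial-division factorization of $p-1$ is where the remark's cost lives: the reference table has $q$ entries, so a large prime factor $q$ makes both the table and the factorization expensive. All function names are this example's own.

```python
# Added example, not from the lecture notes: the Pohlig-Hellman algorithm
# exactly as described above, checked on the two worked examples of the text.

def factorize(n):
    """Trial-division factorization of n, returned as {q_i: r_i}."""
    factors, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            factors[q] = factors.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def log_mod_prime_power(p, alpha, beta, q, r):
    """x mod q^r where alpha^x = beta, one base-q digit x_i per round."""
    n = p - 1
    gamma = pow(alpha, n // q, p)                     # element of order q
    table = {pow(gamma, k, p): k for k in range(q)}   # the reference table
    x, beta_i = 0, beta % p
    for i in range(r):
        # beta_i = alpha^(q^i (x_i + x_{i+1} q + ...)); raising it to
        # (p-1)/q^(i+1) leaves gamma^x_i, which the table turns into x_i.
        x_i = table[pow(beta_i, n // q ** (i + 1), p)]
        x += x_i * q ** i
        beta_i = beta_i * pow(alpha, -x_i * q ** i, p) % p   # strip the digit
    return x

def crt(residues):
    """Chinese Remainder Theorem for a list of (x_i, m_i), m_i pairwise coprime."""
    x, m = 0, 1
    for x_i, m_i in residues:
        x += m * ((x_i - x) * pow(m, -1, m_i) % m_i)
        m *= m_i
    return x % m

def pohlig_hellman(p, alpha, beta):
    """log_alpha(beta) in (Z/pZ)^*, p prime and alpha a generator."""
    residues = [(log_mod_prime_power(p, alpha, beta, q, r), q ** r)
                for q, r in factorize(p - 1).items()]
    return crt(residues)

if __name__ == "__main__":
    print(pohlig_hellman(1373, 2, 801))   # the text finds x = 415
    print(pohlig_hellman(41, 7, 12))      # the text finds x = 13
```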
2.5.4. Index Calculus
Let $p$ be a prime number and $\alpha$ a generator of $(\mathbb{Z}/p\mathbb{Z})^*$, so $o(\alpha) = p-1$. Given $\beta \in (\mathbb{Z}/p\mathbb{Z})^*$ the method calculates, if you are lucky, the discrete logarithm $\log_\alpha \beta$, that is, it finds $0 \le x \le p-2$ with $\alpha^x = \beta$. In order to do this it suffices to find $x \pmod{p-1}$.
Let $B = \{p_1, p_2, \ldots, p_r\}$ be a set of primes different from $p$ and let $a, b \in \mathbb{Z}$ be such that $\alpha = [a]_p$ and $\beta = [b]_p$. For $i \in \{1, 2, \ldots, r\}$, we have $[p_i]_p \in (\mathbb{Z}/p\mathbb{Z})^*$. Since $[p_i]_p = \alpha^{\log_\alpha [p_i]_p}$, we have $p_i \equiv a^{\log_\alpha [p_i]_p} \pmod p$.
First we attempt to calculate $\log_\alpha [p_i]_p$ for $i \in \{1, 2, \ldots, r\}$. This can be done as follows: find $x_j \in \mathbb{Z}$ such that $\alpha^{x_j} \in \langle [p_i]_p \mid 1 \le i \le r \rangle$. That is, the number $a^{x_j} \bmod p$ factorizes in primes contained in $B$. Say, $a^{x_j} \equiv p_1^{a_{1j}} p_2^{a_{2j}} \cdots p_r^{a_{rj}} \pmod p$. Thus
$$x_j \equiv a_{1j} \log_\alpha [p_1]_p + a_{2j} \log_\alpha [p_2]_p + \cdots + a_{rj} \log_\alpha [p_r]_p \pmod{p-1},$$
where the values of $a_{ij}$ are determined from the factorization in primes of $a^{x_j} \bmod p$.
If one can find enough of these numbers $x_j$ such that the equations are linearly independent, then one can solve the system of linear equations, and find $\log_\alpha [p_i]_p$ for $i \in \{1, 2, \ldots, r\}$.
Next find an $s \in \mathbb{Z}$ such that $\beta \alpha^s \in \langle [p_i]_p \mid 1 \le i \le r \rangle$. That is, the number $b a^s \bmod p$ factorizes in primes contained in $B$. Say, $b a^s \equiv p_1^{b_1} p_2^{b_2} \cdots p_r^{b_r} \pmod p$. Thus
$$x + s \equiv b_1 \log_\alpha [p_1]_p + b_2 \log_\alpha [p_2]_p + \cdots + b_r \log_\alpha [p_r]_p \pmod{p-1},$$
where $b_1, b_2, \ldots, b_r \in \mathbb{Z}$ are determined from the factorization in primes of $b a^s \bmod p$. Hence $x$ can be determined.
Example
Let $p = 10007$, $\alpha = [5]_{10007}$ and $\beta = [9451]_{10007}$. Let $B = \{2, 3, 5, 7\}$. We have:
Let $x_1 = 4063$, then $5^{4063} \equiv 42 \pmod{10007}$ and $42 = 2 \cdot 3 \cdot 7$.
Let $x_2 = 5136$, then $5^{5136} \equiv 54 \pmod{10007}$ and $54 = 2 \cdot 3^3$.
Let $x_3 = 9865$, then $5^{9865} \equiv 189 \pmod{10007}$ and $189 = 3^3 \cdot 7$.
Let $x_4 = 1$, then $5^1 \equiv 5 \pmod{10007}$ and $5 = 5^1$.
To simplify notation let $\log_5 s = \log_{[5]_{10007}} [s]_{10007}$, for $s \in \mathbb{Z}$ with $\gcd(10007, s) = 1$. Hence
$$\begin{cases}
4063 \equiv \log_5 2 + \log_5 3 + \log_5 7 \pmod{10006} \\
5136 \equiv \log_5 2 + 3 \cdot \log_5 3 \pmod{10006} \\
9865 \equiv 3 \cdot \log_5 3 + \log_5 7 \pmod{10006} \\
1 \equiv \log_5 5 \pmod{10006}.
\end{cases}$$
Solving the linear system gives $\log_5 2 = 6578$, $\log_5 3 = 6190$, $\log_5 5 = 1$ and $\log_5 7 = 1301$.
Take $s = 7736$, then $9451 \cdot 5^{7736} \equiv 8400 \pmod{10007}$ and $8400 = 2^4 \cdot 3^1 \cdot 5^2 \cdot 7^1$. Hence
$$x + 7736 \equiv 4 \cdot \log_5 2 + 1 \cdot \log_5 3 + 2 \cdot \log_5 5 + 1 \cdot \log_5 7 \pmod{10006}.$$
It follows that $x = 6057$.
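As an added example that is not part of the lecture notes, the following Python code performs the two factorization steps of the index calculus method on the data of the example ($p = 10007$, $\alpha = 5$, $B = \{2, 3, 5, 7\}$): testing whether $a^{x_j} \bmod p$ is $B$-smooth to obtain the rows of the linear system, and the final step that turns a smooth $b a^s \bmod p$ into $x$. Solving the linear system is not repeated; the factor-base logarithms are the ones found above. All function names are this example's own.

```python
# Added example, not from the lecture notes: the smoothness test behind the
# index calculus method, on the text's data p = 10007, alpha = 5, B = {2,3,5,7}.
# The factor-base logarithms are the solution of the linear system above;
# solving that system is not repeated here.
P, ALPHA, BETA = 10007, 5, 9451
FACTOR_BASE = [2, 3, 5, 7]
BASE_LOGS = [6578, 6190, 1, 1301]    # log_5 2, log_5 3, log_5 5, log_5 7

def smooth_exponents(n, base):
    """Exponent vector of n over base, or None if n is not B-smooth."""
    exps = []
    for q in base:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return exps if n == 1 else None

def relation(p, a, x_j, base):
    """Coefficients (a_1j, ..., a_rj) of the equation for x_j, or None."""
    return smooth_exponents(pow(a, x_j, p), base)

def find_relations(p, a, base, count, start=1):
    """Try x_j = start, start+1, ... until `count` B-smooth powers are found."""
    found, x_j = [], start
    while len(found) < count:
        row = relation(p, a, x_j, base)
        if row is not None:
            found.append((x_j, row))
        x_j += 1
    return found

def log_from_factor_base(p, a, b, base, base_logs, s):
    """Final step: if b*a^s mod p is B-smooth, x = sum b_i log p_i - s (mod p-1)."""
    exps = smooth_exponents(b * pow(a, s, p) % p, base)
    if exps is None:
        return None                      # unlucky s, try another one
    return (sum(e * l for e, l in zip(exps, base_logs)) - s) % (p - 1)

if __name__ == "__main__":
    for x_j in (4063, 5136, 9865, 1):
        print(x_j, relation(P, ALPHA, x_j, FACTOR_BASE))
    print(log_from_factor_base(P, ALPHA, BETA, FACTOR_BASE, BASE_LOGS, 7736))
```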
2.5.5. Shanks' Algorithm
Let $p$ be a prime number and $\alpha$ a generator of $(\mathbb{Z}/p\mathbb{Z})^*$, so $o(\alpha) = p-1$. Given $\beta \in (\mathbb{Z}/p\mathbb{Z})^*$ the method calculates the discrete logarithm. Recall that it suffices to find the number modulo $p-1$. The algorithm is based on the following observation:
Lemma 2.5.3 Let $p$ be a prime number, $m = \lceil \sqrt{p} \rceil$, $\alpha$ a generator of $(\mathbb{Z}/p\mathbb{Z})^*$, and $\beta \in (\mathbb{Z}/p\mathbb{Z})^*$. Then there exist $k, r \in \mathbb{Z}$ with $0 \le k, r \le m-1$ such that $\alpha^{mk} = \beta \alpha^{-r}$.
Proof. Suppose $\beta = \alpha^x$, with $0 \le x \le p-1$. Let $m = \lceil \sqrt{p} \rceil$. Then $x = mk + r$ for some $k, r \in \mathbb{Z}$ with $0 \le r \le m-1$. If $k \ge m$, then $x = mk + r \ge m^2 + r \ge m^2 \ge p > p-1$, a contradiction. So $0 \le k, r \le m-1$. Now $\beta = \alpha^x = \alpha^{mk+r} = \alpha^{mk} \alpha^r$, so $\alpha^{mk} = \beta \alpha^{-r}$. $\square$
Shanks' Algorithm:
Let $L_1 = \{(j, \alpha^{jm}) \mid 0 \le j \le m-1\}$ and $L_2 = \{(i, \beta \alpha^{-i}) \mid 0 \le i \le m-1\}$. Sort the lists according to the second coordinate. Find $(j_0, y) \in L_1$ and $(i_0, y) \in L_2$ (that is, find a pair in $L_1$ and one in $L_2$ that have the same second coordinate). Then $\log_\alpha \beta \equiv m j_0 + i_0 \pmod{p-1}$.
The lemma shows that at least one such pair $(j_0, y) \in L_1$ and $(i_0, y) \in L_2$ exists. Moreover, for such a pair we have $y = \alpha^{j_0 m} = \beta \alpha^{-i_0}$. That is, $\alpha^{j_0 m} \alpha^{i_0} = \beta$, hence $\alpha^{m j_0 + i_0} = \beta = \alpha^x$. Thus we have $x \equiv m j_0 + i_0 \pmod{p-1}$.
Example
Let $p = 97$ and $\alpha = [5]_{97}$, hence $m = 10$. We compute the discrete logarithm of $\beta = [34]_{97}$.
$$\begin{array}{c|c}
j & ([5]_{97})^{10j} \\ \hline
0 & [1]_{97} \\
1 & [53]_{97} \\
2 & [93]_{97} \\
3 & [79]_{97} \\
4 & [16]_{97} \\
5 & [72]_{97} \\
6 & [33]_{97} \\
7 & [3]_{97} \\
8 & [62]_{97} \\
9 & [85]_{97}
\end{array}
\qquad
\begin{array}{c|c}
i & [34]_{97} ([5]_{97})^{-i} \\ \hline
0 & [34]_{97} \\
1 & [65]_{97} \\
2 & [13]_{97} \\
3 & [22]_{97} \\
4 & [82]_{97} \\
5 & [94]_{97} \\
6 & [77]_{97} \\
7 & [93]_{97} \\
8 & [38]_{97} \\
9 & [27]_{97}
\end{array}$$
We see that the second entries of the two lists coincide for $j = 2$ and $i = 7$, so $\log_\alpha \beta = 10 \cdot 2 + 7 = 27$.
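As an added example that is not part of the lecture notes, the following Python code builds the two lists $L_1$ and $L_2$ of Shanks' algorithm for $p = 97$, $\alpha = 5$, $\beta = 34$ and finds the matching pair; a hash table on the second coordinate replaces the sorting step of the text, which is how the algorithm is usually implemented. All function names are this example's own.

```python
# Added example, not from the lecture notes: Shanks' baby-step giant-step
# algorithm as described above, checked on p = 97, alpha = 5, beta = 34.
from math import isqrt

def shanks_lists(p, alpha, beta):
    """m = ceil(sqrt(p)) and the lists L1 = [alpha^(jm)], L2 = [beta*alpha^(-i)]."""
    m = isqrt(p) + 1                      # p is prime, hence not a square
    giant = pow(alpha, m, p)
    inv_alpha = pow(alpha, -1, p)
    L1 = [pow(giant, j, p) for j in range(m)]             # giant steps
    L2 = [beta * pow(inv_alpha, i, p) % p for i in range(m)]  # baby steps
    return m, L1, L2

def shanks(p, alpha, beta):
    """log_alpha(beta) mod p-1; a hash table replaces the sorting of the text."""
    m, L1, L2 = shanks_lists(p, alpha, beta)
    where = {y: j for j, y in enumerate(L1)}   # second coordinate -> j
    for i, y in enumerate(L2):
        if y in where:                           # same y in both lists
            return (m * where[y] + i) % (p - 1)
    raise ValueError("beta is not a power of alpha")

if __name__ == "__main__":
    m, L1, L2 = shanks_lists(97, 5, 34)
    for j in range(m):
        print(j, L1[j], L2[j])
    print(shanks(97, 5, 34))     # the text finds 27
```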